185 lines
6.9 KiB
Diff
185 lines
6.9 KiB
Diff
|
From d7a856097039b37e77a59aad66d6cdedc3eb6aee Mon Sep 17 00:00:00 2001
|
||
|
From: David Kupka <dkupka@redhat.com>
|
||
|
Date: Mon, 30 Mar 2015 04:17:55 -0400
|
||
|
Subject: [PATCH 2/3] Use mod_auth_gssapi instead of mod_auth_kerb.
|
||
|
|
||
|
https://fedorahosted.org/freeipa/ticket/4190
|
||
|
---
|
||
|
freeipa.spec.in | 4 +++-
|
||
|
init/systemd/ipa.conf.tmpfiles | 1 +
|
||
|
install/conf/ipa.conf | 16 +++++-----------
|
||
|
ipalib/session.py | 20 ++++++++++----------
|
||
|
ipaserver/rpcserver.py | 2 +-
|
||
|
5 files changed, 20 insertions(+), 23 deletions(-)
|
||
|
|
||
|
diff --git a/freeipa.spec.in b/freeipa.spec.in
|
||
|
index 546f3473c5ac8885c6df128b2e3793d76795e85b..8d58f2568e1de418c25cb1bd34fc7d4736a15e54 100644
|
||
|
--- a/freeipa.spec.in
|
||
|
+++ b/freeipa.spec.in
|
||
|
@@ -118,7 +118,7 @@ Requires: cyrus-sasl-gssapi%{?_isa}
|
||
|
Requires: ntp
|
||
|
Requires: httpd >= 2.4.6-6
|
||
|
Requires: mod_wsgi
|
||
|
-Requires: mod_auth_kerb >= 5.4-16
|
||
|
+Requires: mod_auth_gssapi >= 1.1.0-2
|
||
|
Requires: mod_nss >= 1.0.8-26
|
||
|
Requires: python-ldap >= 2.4.15
|
||
|
Requires: python-krbV
|
||
|
@@ -463,6 +463,7 @@ install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_tmpfilesdir}/%{nam
|
||
|
mkdir -p %{buildroot}%{_localstatedir}/run/
|
||
|
install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa_memcached/
|
||
|
install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa/
|
||
|
+install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/clientcaches
|
||
|
|
||
|
mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5
|
||
|
touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
|
||
|
@@ -680,6 +681,7 @@ fi
|
||
|
%config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
|
||
|
%dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
|
||
|
%dir %attr(0700,root,root) %{_localstatedir}/run/ipa/
|
||
|
+%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/clientcaches/
|
||
|
# NOTE: systemd specific section
|
||
|
%{_tmpfilesdir}/%{name}.conf
|
||
|
%attr(644,root,root) %{_unitdir}/ipa.service
|
||
|
diff --git a/init/systemd/ipa.conf.tmpfiles b/init/systemd/ipa.conf.tmpfiles
|
||
|
index 1e7a896ed8df00c97f2d092504e2a65960bb341d..b4503cc673f3407421cd194091f5373ba204a483 100644
|
||
|
--- a/init/systemd/ipa.conf.tmpfiles
|
||
|
+++ b/init/systemd/ipa.conf.tmpfiles
|
||
|
@@ -1,2 +1,3 @@
|
||
|
d /var/run/ipa_memcached 0700 apache apache
|
||
|
d /var/run/ipa 0700 root root
|
||
|
+d /var/run/httpd/clientcaches 0700 apache apache
|
||
|
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
|
||
|
index 62ee955ecfe0be78a3bd377e5aa35a335681621f..871fab8248fcc1c3793ce71bdcb86720a7e31c61 100644
|
||
|
--- a/install/conf/ipa.conf
|
||
|
+++ b/install/conf/ipa.conf
|
||
|
@@ -3,7 +3,6 @@
|
||
|
#
|
||
|
# This file may be overwritten on upgrades.
|
||
|
#
|
||
|
-# LoadModule auth_kerb_module modules/mod_auth_kerb.so
|
||
|
|
||
|
ProxyRequests Off
|
||
|
|
||
|
@@ -61,19 +60,14 @@ WSGIScriptReloading Off
|
||
|
SetHandler None
|
||
|
</Location>
|
||
|
|
||
|
-KrbConstrainedDelegationLock ipa
|
||
|
-
|
||
|
# Protect /ipa and everything below it in webspace with Apache Kerberos auth
|
||
|
<Location "/ipa">
|
||
|
- AuthType Kerberos
|
||
|
+ AuthType GSSAPI
|
||
|
AuthName "Kerberos Login"
|
||
|
- KrbMethodNegotiate on
|
||
|
- KrbMethodK5Passwd off
|
||
|
- KrbServiceName HTTP
|
||
|
- KrbAuthRealms $REALM
|
||
|
- Krb5KeyTab /etc/httpd/conf/ipa.keytab
|
||
|
- KrbSaveCredentials on
|
||
|
- KrbConstrainedDelegation on
|
||
|
+ GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
|
||
|
+ GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
|
||
|
+ GssapiDelegCcacheDir /var/run/httpd/clientcaches
|
||
|
+ GssapiUseS4U2Proxy on
|
||
|
Require valid-user
|
||
|
ErrorDocument 401 /ipa/errors/unauthorized.html
|
||
|
</Location>
|
||
|
diff --git a/ipalib/session.py b/ipalib/session.py
|
||
|
index ae40fdfe189b3bfd5f0437c04efaab73ac31f88a..2f732b333375c837b931c6b16ccfc535e11d7e4c 100644
|
||
|
--- a/ipalib/session.py
|
||
|
+++ b/ipalib/session.py
|
||
|
@@ -484,7 +484,7 @@ improve authentication performance. First some definitions.
|
||
|
There are 4 major players:
|
||
|
|
||
|
1. client
|
||
|
- 2. mod_auth_kerb (in Apache process)
|
||
|
+ 2. mod_auth_gssapi (in Apache process)
|
||
|
3. wsgi handler (in IPA wsgi python process)
|
||
|
4. ds (directory server)
|
||
|
|
||
|
@@ -506,12 +506,12 @@ This describes how things work in our current system for the web UI.
|
||
|
|
||
|
2. Client sends post to /ipa/json.
|
||
|
|
||
|
- 3. mod_auth_kerb is configured to protect /ipa/json, replies 401
|
||
|
+ 3. mod_auth_gssapi is configured to protect /ipa/json, replies 401
|
||
|
authenticate negotiate.
|
||
|
|
||
|
4. Client resends with credentials
|
||
|
|
||
|
- 5. mod_auth_kerb validates credentials
|
||
|
+ 5. mod_auth_gssapi validates credentials
|
||
|
|
||
|
a. if invalid replies 403 access denied (stops here)
|
||
|
|
||
|
@@ -550,7 +550,7 @@ A few notes about the session implementation.
|
||
|
Changes to Apache's resource protection
|
||
|
---------------------------------------
|
||
|
|
||
|
- * /ipa/json is no longer protected by mod_auth_kerb. This is
|
||
|
+ * /ipa/json is no longer protected by mod_auth_gssapi. This is
|
||
|
necessary to avoid the negotiate expense in steps 3,4,5
|
||
|
above. Instead the /ipa/json resource will be protected in our wsgi
|
||
|
handler via the session cookie.
|
||
|
@@ -583,15 +583,15 @@ The new sequence is:
|
||
|
|
||
|
5. client sends request to /ipa/login to obtain session credentials
|
||
|
|
||
|
- 6. mod_auth_kerb replies 401 negotiate on /ipa/login
|
||
|
+ 6. mod_auth_gssapi replies 401 negotiate on /ipa/login
|
||
|
|
||
|
7. client sends credentials to /ipa/login
|
||
|
|
||
|
- 8. mod_auth_kerb validates credentials
|
||
|
+ 8. mod_auth_gssapi validates credentials
|
||
|
|
||
|
a. if valid
|
||
|
|
||
|
- - mod_auth_kerb permits access to /ipa/login. wsgi handler is
|
||
|
+ - mod_auth_gssapi permits access to /ipa/login. wsgi handler is
|
||
|
invoked and does the following:
|
||
|
|
||
|
* establishes session for client
|
||
|
@@ -600,7 +600,7 @@ The new sequence is:
|
||
|
|
||
|
a. if invalid
|
||
|
|
||
|
- - mod_auth_kerb sends 403 access denied (processing stops)
|
||
|
+ - mod_auth_gssapi sends 403 access denied (processing stops)
|
||
|
|
||
|
9. client now posts the same data again to /ipa/json including
|
||
|
session cookie. Processing repeats starting at step 2 and since
|
||
|
@@ -617,12 +617,12 @@ and xmlrpc API's are the same, they differ only on how their procedure
|
||
|
calls are marshalled and unmarshalled.
|
||
|
|
||
|
Under the new scheme /ipa/xml will continue to be Kerberos protected
|
||
|
-at all times. Apache's mod_auth_kerb will continue to require the
|
||
|
+at all times. Apache's mod_auth_gssapi will continue to require the
|
||
|
client provides valid Kerberos credentials.
|
||
|
|
||
|
When the WSGI handler routes to /ipa/xml the Kerberos credentials will
|
||
|
be extracted from the KRB5CCNAME environment variable as provided by
|
||
|
-mod_auth_kerb. Everything else remains the same.
|
||
|
+mod_auth_gssapi. Everything else remains the same.
|
||
|
|
||
|
'''
|
||
|
|
||
|
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
|
||
|
index d6bc955b9d9910a24eec5df1def579310eb54786..4173ed918d2ce992aa79d18b2ac3338b35388918 100644
|
||
|
--- a/ipaserver/rpcserver.py
|
||
|
+++ b/ipaserver/rpcserver.py
|
||
|
@@ -858,7 +858,7 @@ class login_kerberos(Backend, KerberosSession, HTTP_Status):
|
||
|
def __call__(self, environ, start_response):
|
||
|
self.debug('WSGI login_kerberos.__call__:')
|
||
|
|
||
|
- # Get the ccache created by mod_auth_kerb
|
||
|
+ # Get the ccache created by mod_auth_gssapi
|
||
|
user_ccache_name=environ.get('KRB5CCNAME')
|
||
|
if user_ccache_name is None:
|
||
|
return self.internal_error(environ, start_response,
|
||
|
--
|
||
|
2.3.4
|
||
|
|